Re: [qubes-users] What hardware to buy for security? Best way to go about FDE? & 3-way authentication? discussion!
On 12/29/2016 08:22 AM, HiringQubesExperts wrote:
> Hi all,
>
> I am planning on buying a 13.3 - 15.6 laptop that I will specifically
> use for running qubes, and containing lots and lots of highly
> sensitive files.
> []
>
> I really hope we can start a discussion on these topics that will
> lead to a general what-should-I-buy advice when one wants maximum
> security from COTS hardware, and open software.
>

The whole topic is not as simple as you put it: "security" is not a linear measure, hardly even measurable. Hence you cannot ask for "security" as a whole, and it does not come in handy packages on a Walmart shelf.

What I generally recommend is to first model the threats, and then build security accordingly. In your message you only mention "highly sensitive files", but not your threats.

If you are afraid of software intrusions, you will want to isolate your data from the internet, and then Qubes is a nice place to start. But then you may probably have to make sure your usage habits are sound for this goal (the switch can take some time to get accustomed to).

If you are afraid of casual physical thieves, a simple FDE (luks) is way more than enough, but if you are dealing with people intentionally pursuing your files then everything you mentioned in your e-mail is not enough, just added complexity: you will need to think of fake volumes and password for under-coercion data switch, bordering on plausible deniability.

If the people pursuing your files have very strong motivations or a big organization (say, a government), you may want to think out of the box (i.e. thermorectal cryptanalysis, or the old but good https://xkcd.com/538/ ): when the owner cooperates any lock opens, be it a 3$ padlock or a multi-million-dollar fort.

Likewise, if you travel with that laptop, you may want to research plausible deniability for sensitive data (make it look like the most dumb windows laptop you can buy), and having a biometric sensor / unheard-of brands / custom bioses would only raise suspicion.

In any case you are likely to have to change some habits, to follow the security guidelines you decide/plan. Qubes by itself is a very nice foundation for both solutions for physical security and software security, and you can add any other feature you want to pick from your list, but just "adding them all" will probably make your computer less secure overall (more software attack surface) and will tire you with the security procedures, prompting you to find shortcuts in the long run or abandon the whole "fort" altogether.

--
Alex

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/900deb4f-7114-c1cb-c7ce-5e50095228c2%40gmx.com.
For more options, visit https://groups.google.com/d/optout.
[qubes-users] What hardware to buy for security? Best way to go about FDE? & 3-way authentication? discussion!
Hi all,

I am planning on buying a 13.3 - 15.6 laptop that I will specifically use for running qubes, and containing lots and lots of highly sensitive files. I will also be using tor a lot, and for me the main things I care about is being able to get my setup as secure as possible.

Things I've thought about so far;

OPAL SED SSD for HW based drive encryption. (Second FDE of course)
USB PGP-Key for authentication and stuff, also contains (hidden) storage.
Keypad encrypted USB for hardware encrypted USB with bootfiles/keyfiles etc.

Now for the laptop itself;

Is TPM worth it? I'm hearing mixed opinions... Also, I definitely do not want to put all my eggs in one basket, so would using TPM be possible in a way that it is just one of several parts of the whole security-chain? I would hate it if someone has a TPM backdoor and compromises my whole system that way, any way to design something with 2 or better yet; 3 way authentication?

What about the processor and bios? Are there any secure/open bioses that work with recent intel processors? As for the processor; are the SGX and other new features that skylake CPU's offer any good? Would it be possible to make use of these features in Qubes? If not, what processor would you guys recommend? I guess Intel right?

Are there any laptops out there that have onboard security-hardware that offers any real solid security benefits? I've read a lot of posts from Joanna where she kind of debunks the Cortex M-3 security chip, so I am wondering; are there any other chips like these that are truly open source, and really add some security?

What kind of laptop comes to mind when I'm asking for this kind of features? I'm having a very very hard time finding a laptop that I can setup in a way that would make me feel truly secure. I hope you guys can share some advice on these matters.

P.S. I'm using the PGP-key stick, and USB-keypad-usb as my "extra security-weapons" are there any other reliable open source hw-security devices out there that you guys would recommend? Would it be possible to add say some biometric security hardware and then have the full disk encryption work in such a way that 3 way authentication would be needed?

Also, we have the software based full disk encryption, and also the HW based OPAL full disk encryption, even though I trust the software based one the most, I would still like to also maximize the security of the samsung SED based one. Would it be possible to have 3-way authentication for both, while having unique keys each?

What would be the best way to implement 3-way authentication? Most people advise me on using the combined output of all 3 hw keys, maybe even with some mechanism which unlocks a keyfile or something like that. But to me these things sound like they are not really thought through; there has to be a better way to implement 3-way (or even 2 way) authentication, at least for the software based FDE, and maybe even for the samsung OPAL one, right?

Also, what would you guys recommend me to use as encryption method? LVM-LUKS won't let me encrypt the boot partition, and it won't really allow me to use 2-way authentication as well. What would be the best way to go about encrypting my drive using the hardware available? (PGP-key, USB-keypad, "addyourown")

I really hope we can start a discussion on these topics that will lead to a general what-should-I-buy advice when one wants maximum security from COTS hardware, and open software.

- HQE
Re: [qubes-users] Archlinux Community Template Qubes OS 3.2
On Mon, Dec 19, 2016 at 3:06 PM, J. Eppler wrote:
> Hello,
>
> I just wanted to thank the person who created and uploaded the
> qubes-template-archlinux 3.0.6 to the Qubes OS 3.2 rpm repo.
>
> Saved a lot of work.
>
> You can install it with:
> sudo qubes-dom0-update --enablerepo=qubes-templates-community
> qubes-template-archlinux
>
>
> A really nice Christmas present!

Thanks

When I type

sudo pacman-key -populate archlinux

I get

pacman-key: invalid option -- 'p'

Best
Fran

>
> regards
> J. Eppler
Re: [qubes-users] Fedora-23 Software only shows already installed apps
On Wednesday, December 28, 2016 at 8:02:14 PM UTC-8, Andrew David Wong wrote:
> I've never tried the GUI package manager interface. Can you try just
> using dnf from the command-line? For example:
>
> $ sudo dnf install
>
> --
> Andrew David Wong (Axon)
> Community Manager, Qubes OS
> https://www.qubes-os.org

That worked thanks!
[qubes-users] Re: How to Backup Qubes Using New USB Hard Drive
Andrew:

Success! Everything works now.

When I sat down to do this, I realized that I actually only needed one USB qube, and that's the one that I do not want talking to dom0. The keyboard and mouse are already talking to dom0, which I don't want to change. It's all of the other USB devices that I want to send elsewhere.

So I set it all up as described above and in the documentation, and it's all working now. I did the backup and tested the restore from backup. Everything appears to be OK.

Thank you for your help.
Re: [qubes-users] How do I get Qubes 4.0 pre-release/dev build?
On Thursday, 8 December 2016 21:48:05 UTC+1, Marek Marczykowski-Górecki wrote:
> On Thu, Dec 08, 2016 at 08:56:25AM -0800, wrote:
> > Could someone maybe give some help with the error message?
>
> The one about missing signed tags? They are in place already - simply
> retry. Take a look at "Qubes 4.0 development status update" message on
> qubes-devel.
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

I'm really sorry for the trouble, but I am still getting loads of errors all the way, even when modifying some things by hand to make it work, errors errors errors.

Could you maybe make me a new config file, and make sure that it works before posting it? Maybe also post the exact steps you use to make the whole thing work? Are you doing anything special? Ignoring any stuff using -i while running the make command?
Re: [qubes-users] notify about updates of cloned template
On 2016-12-28 16:03, Eva Star wrote:
> How to enable auto checking for updates and notify me if they
> exist on the cloned template?
>
>> qubes-set-updates status
> vms: enable
>
>> qvm-prefs -l fedora-24-clone
> updatable: True
>
> But it does not check for updates!
>

Update checks are typically run in VMs based on the template, so if you haven't had any VMs running based on that template that can reach update repos, that's probably why.

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: 3.2 Install: Error unpacking qubes-template-fedora-23
My freezes for me are pretty random on dozens of different places during the Legacy and UEFI installs, something more than one RPM is broken. I'm blaming my Gigabyte Z97X Gaming mobo, F7 BIOS. I've ordered an ASRock Z97 Extreme6 mobo as that is known to work. I think it's the Gigabyte BIOS that isn't so hot.
Re: [qubes-users] Fedora-23 Software only shows already installed apps
On 2016-12-28 13:22, superlative wrote:
> Hi, I can install packages from Debian-8 template VM Packages app
> just fine. But Fedora-23 template VM doesn't have any packages
> available in the Software app that I don't already have installed.
> The only Software Sources that show up in Fedora-23 template VM
> Software app is "Qubes OS Repository for VM (updates)". But in
> Debian-8 template VM Packages app Package Sources are "Jessie
> (main)", "Jessie (main contrib non-free)", and "Jessie updates
> (main contrib non-free)". Is it supposed to be like that?
>
> Thanks
>

I've never tried the GUI package manager interface. Can you try just using dnf from the command-line? For example:

$ sudo dnf install

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
[qubes-users] Re: 3.2 Install: Error unpacking qubes-template-fedora-23
I found the same problem on a fresh 3.2 install. One data point of something that looked odd to me is that the sha1/sha256 sums are different between the RPM that's distributed as part of the installer and the supposedly same RPM available via the repo online...

The Qubes 3.2 installer iso has:

.../Qubes-R3.2-x86_64/Packages/q $ sha256sum qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
c070ecb75b2580aec594d67afc833579c52ccb20e4acf5bc1797bbc93cefde26  qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
$ sha1sum qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
cef6ddb660d0c9cb3fbee54230899ddeb2df64a6  qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm

Trying to install this fails.

But the package I downloaded (from https://yum.qubes-os.org/r3.2/templates-itl/rpm/) has:

$ sha256sum qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
0b751ae1c94747f026b33767437b25f5bf0d09857430bd7c080992b61a9ca244  qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
$ sha1sum qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm
5e1186e6fcd08e5b99432418655d49fa7fadf796  qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm

I haven't yet tried to install this one so I'm not sure that explains anything yet, but it may be indicative of some problem.
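
The comparison made by hand in the message above can be scripted for whole package directories. This is an added example, not code from the post or from the Qubes project: it parses `sha1sum`/`sha256sum` listings from two sources and classifies every file, using the digests quoted above as sample input; the function and variable names are assumptions.

```python
"""Compare sha1sum/sha256sum listings of the same packages from two sources."""
import hashlib
import re

# Hex digest length produced by each coreutils tool.
HEX_LEN = {"sha1": 40, "sha256": 64}
ALGO_BY_LEN = {n: a for a, n in HEX_LEN.items()}
# coreutils format: <hex digest>, a space, a mode flag (' ' or '*'), file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")


def parse_listing(text):
    """Return {(algorithm, filename): digest} for every digest line in text."""
    digests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$"):  # blank lines, echoed commands
            continue
        m = LINE_RE.match(line)
        algo = ALGO_BY_LEN.get(len(m.group(1))) if m else None
        if algo is None:
            # Truncated or foreign lines are rejected, never silently skipped.
            raise ValueError(f"not a sha1sum/sha256sum line: {line!r}")
        digests[(algo, m.group(2))] = m.group(1).lower()
    return digests


def compare(source_a, source_b):
    """Classify each (algorithm, filename) seen in either listing."""
    a, b = parse_listing(source_a), parse_listing(source_b)
    report = []
    for key in sorted(set(a) | set(b)):
        if key not in b:
            status = "only-in-a"
        elif key not in a:
            status = "only-in-b"
        elif a[key] == b[key]:
            status = "match"
        else:
            status = "mismatch"
        report.append((key[0], key[1], status))
    return report


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so large RPMs or ISOs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Sample input: the digests quoted in the message above.
RPM = "qubes-template-fedora-23-3.0.6-201608081228.noarch.rpm"
INSTALLER_ISO = f"""
c070ecb75b2580aec594d67afc833579c52ccb20e4acf5bc1797bbc93cefde26  {RPM}
cef6ddb660d0c9cb3fbee54230899ddeb2df64a6  {RPM}
"""
ONLINE_REPO = f"""
0b751ae1c94747f026b33767437b25f5bf0d09857430bd7c080992b61a9ca244  {RPM}
5e1186e6fcd08e5b99432418655d49fa7fadf796  {RPM}
"""

if __name__ == "__main__":
    for algo, name, status in compare(INSTALLER_ISO, ONLINE_REPO):
        print(f"{status:9} {algo:6} {name}")
```

A mismatch only shows that the two files differ byte for byte. The digest covers the RPM's signature header as well as its payload, so checking each copy's signature with `rpm -K` is what tells which one can be trusted.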
[qubes-users] Re: trying to pass usb-headset to arch based standalone vm
On Wednesday, December 28, 2016 at 10:39:56 PM UTC, digitaldijjn wrote:
> I'm trying to get a usb headset passed to my standalone vm so that I can get
> the mic working for rosetta stone. I have wine configured and the program
> installed, though when I pass the mic to the vm I can't detect from within
> rosetta stone. I've heard that a way to work around this is to use a usb
> headset. so right now I'm trying to pass that from sys-usb to arch using
> qubes-usb
>
> I have qubes-usb-proxy-sender installed in sys-usb, I just can't seem to find
> the qubes-usb-proxy.x86_64 package online...
>
> I found the github page for qubes-app-input-proxy which said it needed to be
> installed in dom0. I tried to and it's already installed. should I just try
> to install that package in the standalone vm as well?

so I've managed to download the deb package from debian, transfer it to arch, and install it with debtap and pacman. when I try to use qvm-usb to transfer using the command:

qvm-usb -a sys-usb:4-2

it tells me that qubes-usb-proxy is not installed in the VM.
[qubes-users] Re: HCL - Lenovo X1 Carbon 4th Gen
I was able to fix the suspend issue not working by updating my kernel to 4.8.12 using:

sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel

But then WIFI driver failed to reload after exiting suspend, which got fixed following the steps here: https://www.qubes-os.org/doc/wireless-troubleshooting/
[qubes-users] notify about updates of cloned template
How to enable auto checking for updates and notify me if they exist on the cloned template?

> qubes-set-updates status
vms: enable

> qvm-prefs -l fedora-24-clone
updatable: True

But it does not check for updates!

--
Regards
[qubes-users] Heads Bootloader
Trammell Hudson spoke a couple of days ago about a custom bootloader designed to minimally load the OS in a secure manner, and mentioned he got it compatible with Qubes. Does anyone here have any experience with this?

Talk: https://www.youtube.com/watch?v=UqxRPLfrpfA
Repo: https://github.com/osresearch/heads

--
kulinacs
[qubes-users] HCL - Lenovo X1 Carbon 4th Gen
I have tested Qubes 3.2 on my new X1 Carbon laptop, and things mostly worked out of the box. I was able to boot and install Qubes OS from USB via legacy boot mode.

I have 128G NVMe drive that came with the machine. It seems to work fine as far as I can tell. Sound/WIFI/SD Card/USB works out of the box.

The only issue I noticed is *suspend* mode seems to NOT work with VT-D enabled.

--
h221baker

Qubes-HCL-LENOVO-20FBCTO1WW-20161228-173545.yml
Description: application/yaml
[qubes-users] trying to pass usb-headset to arch based standalone vm
I'm trying to get a usb headset passed to my standalone vm so that I can get the mic working for rosetta stone. I have wine configured and the program installed, though when I pass the mic to the vm I can't detect from within rosetta stone. I've heard that a way to work around this is to use a usb headset. so right now I'm trying to pass that from sys-usb to arch using qubes-usb

I have qubes-usb-proxy-sender installed in sys-usb, I just can't seem to find the qubes-usb-proxy.x86_64 package online...

I found the github page for qubes-app-input-proxy which said it needed to be installed in dom0. I tried to and it's already installed. should I just try to install that package in the standalone vm as well?
Re: [qubes-users] RFC: adding qubes images to the (qubes) repo
if offloading is done for isos: ship the master key with qubes and provide a convenience command to the user. this command should download (e.g. via torrent) and verify the image (a step the user can't do wrong anymore). this command could spawn a dispvm, install torrent software, load the torrent and copy it to dom0. from there the user could qvm-copy it to the vm with the install medium.

This is a different proposal, and it would be a much larger undertaking. It's certainly not something that the core Qubes devs have time to do, so it would have to be a community-developed feature. Would you like to take this project on?

my current idea:
1) create a temporary download vm A
2) use wget to get the signature + iso + release signing key
4) create a temporary verify vm B
5) copy the data from A to B
6) destroy A
7) copy the qubes-master key from dom0 to B
4) set the master key to ultimate trust
5) verify the release signing key
6) check the signature
7) copy the image to dom0
8) destroy B

you also could do all steps in one vm. i think this should be possible with the current tools.

(i would have to look up how to do all this key management stuff via shell. i have not this much time (and am not really skilled), but what i thought about would not be that much work. if this solution is acceptable, i can give it a try. it would be in form of some bash scripts.

maybe you could get other official repos to add them, too. (debian (+ubuntu), fedora and arch should reach a significant portion of the linux users)

Another interesting idea. I've never heard of a distro adding a different OS's ISO as a package of their own, though.

asking can't hurt.

Well... why don't you ask them, then? :)

some random guy is more likely to be ignored than people officially connected to a project (but i could try to ask them and link them to this thread.)
Re: [qubes-users] Firewall Rules for Printer Access?
Thanks for suggesting a network printer. That might be what I have to end up doing. But before I try that, I want to keep trying USB printer. I'll try the USB passthrough method as soon as I figure out how to install qubes-usb-proxy on my Fedora-23 template VM Software app. I created a new thread in this forum to figure that out. It's called "Fedora-23 Software only shows already installed apps".
Re: [qubes-users] VMs die when screen is locked for too long
On Wed, Dec 28, 2016 at 09:54:08AM +, Fred wrote:
> I've noticed this problem a few times now:
>
> If the screen is locked for too long (this problem doesn't seem to occur
> if I unlock the screen a short time after the screen locking) when I
> unlock the screen the VMs that were running are now in a yellow state.
> There is an error message about error reclaiming memory or something
> like that. The memory in use for the VMs still seems to be there and the
> CPU is on 0%.

Does this sound like some known open issue? Is it about some specific VM, every time different one, or all of them? I'd guess it may be about automatic system suspend after and on this particular hardware sys-net does not survive it.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [qubes-users] Synaptic touchpad not working through usbVM
On Wed, Dec 28, 2016 at 09:57:38AM +, Fred wrote:
> Hi all,
>
> My touchpad doesn't work now that I've started using a usbVM. If I
> attach a USB mouse I get a prompt asking me if I wish to allow it. For
> the touchpad no prompt and it doesn't work even if I set the RPC policy
> for InputMouse to allow.

Interesting, do you have that touchpad really as a USB device? If so, it's probably not supported by InputMouse service - probably we need InputTouchpad, or sth like this.

It would be really helpful if you collect some more information:

1. Install 'evtest' tool in your template.
2. Restart sys-usb (or the whole system).
3. Launch terminal in sys-usb and call evtest on everything you find in /dev/input - one of those should be your touchpad - post what you've got there.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
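The first question in the reply above, whether the touchpad really is a USB device, can be answered from the kernel's input device listing before reading evtest output. The following is an added example, not part of the original message; the device listing is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify input devices by bus from /proc/bus/input/devices.
# Bus IDs are from linux/input.h: 0003 = USB, 0011 = i8042 (PS/2), 0018 = I2C.

# Constructed sample in the /proc/bus/input/devices format (not from the thread).
sample_devices() {
cat <<'EOF'
I: Bus=0011 Vendor=0002 Product=0007 Version=01b1
N: Name="SynPS/2 Synaptics TouchPad"
P: Phys=isa0060/serio1/input0
S: Sysfs=/devices/platform/i8042/serio1/input/input5
H: Handlers=mouse0 event5

I: Bus=0003 Vendor=046d Product=c077 Version=0111
N: Name="Logitech USB Optical Mouse"
P: Phys=usb-0000:00:14.0-2/input0
S: Sysfs=/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input9
H: Handlers=mouse1 event9
EOF
}

# list_input_buses: read a device listing on stdin, print "bus|eventN|name"
# for each device. The eventN column is the node evtest would be pointed at.
list_input_buses() {
    awk '
        function emit() {
            if (name != "") print bus "|" (ev == "" ? "-" : ev) "|" name
            bus = ""; ev = ""; name = ""
        }
        /^I:/ {
            emit()
            id = $0; sub(/.*Bus=/, "", id); sub(/ .*/, "", id)
            if (id == "0003") bus = "usb"
            else if (id == "0011") bus = "i8042"
            else if (id == "0018") bus = "i2c"
            else bus = "other(" id ")"
        }
        /^N:/ { name = $0; sub(/^N: Name="/, "", name); sub(/"$/, "", name) }
        /^H:/ {
            h = $0; sub(/^H: Handlers=/, "", h)
            n = split(h, parts, " ")
            for (i = 1; i <= n; i++) if (parts[i] ~ /^event[0-9]+$/) ev = parts[i]
        }
        END { emit() }
    '
}

# touchpad_bus: print the bus of the first device whose name looks like a touchpad.
touchpad_bus() {
    list_input_buses | awk -F'|' 'tolower($3) ~ /touchpad|synaptics/ { print $1; exit }'
}

# On a live system: list_input_buses < /proc/bus/input/devices
```

A result of `usb` means the device sits behind the USB controller handled by sys-usb; any other bus means it is not a USB device at all.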
[qubes-users] Fedora-23 Software only shows already installed apps
Hi, I can install packages from Debian-8 template VM Packages app just fine. But Fedora-23 template VM doesn't have any packages available in the Software app that I don't already have installed. The only Software Sources that show up in Fedora-23 template VM Software app is "Qubes OS Repository for VM (updates)". But in Debian-8 template VM Packages app Package Sources are "Jessie (main)", "Jessie (main contrib non-free)", and "Jessie updates (main contrib non-free)". Is it supposed to be like that? Thanks
Re: [qubes-users] How to use bonjour (mDNS/DNS-SD) in a Qube?
On Wed, Dec 28, 2016 at 10:14:01AM +, Fred wrote:
>
> So I have iTunes in a Qube -- the best place for it IMHO ;-).
>
> I'd like to be able to use AirPlay. Since I'm not bridged and the
> AirPlay protocol uses mDNS/DNS-SD I need a way for the multicast to work
> from a Qube without violating any of the Qubes careful network design.
>
> e.g. One idea is to have my Windows HVM have a direct non NAT'd
> connection. But I'm not sure how to do this and if it's even
> desirable/sensible from an isolation PoV.

Direct - not-NATed network access is very hard to achieve in Qubes architecture.

> Another idea is to install/enable something like avahi in fedora23
> template and then on each network devices set it to reflect. I've not
> used avahi before but a) it's in fedora and even seems to be in the
> default template though disabled and b) seems like it's a one liner in
> its config to get cross subnet multicast working.

As with most of network services - it will enlarge attack surface. As for avahi - I don't know what exactly it's capable of - for example can it be forced to remotely start other services/programs? Drill holes in firewall (like UPNP)? Or "just" service discovery? Those are questions to ask when you consider enabling network service.

> But I'm not sure what
> the consequences of that are. Another service enabled in the template
> just to satisfy a single Qubes requirements does seem to be a bit much.

You can start the service just in one Qube - simply start it in /rw/config/rc.local there (remember to make the file executable!).

> Perhaps a third option is to create dedicated network infrastructure for
> the Windows HVM to use (sys-net-avahi sys-firewall-avahi).

You'll probably still need a single sys-net, unless you get multiple network adapters. But separate sys-firewall makes some sense.

> I thought this might be a (semi)common issue and was keen to hear others
> suggestions or if not maybe a pointer in how to best solve the issue of
> Qubes consuming services which require cross-subnet or multicast
> support. I'd imagine this could also be a problem with other similar
> services (video, voice).

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [qubes-users] Re: Q3.2 installation issues - x not starting on XPS13 HVW8J
On Mon, Dec 26, 2016 at 12:59:52PM +0100, Niels ten Oever wrote:
> On 12/24/2016 01:52 PM, Niels ten Oever wrote:
> > Hello all,
> >
> > Merry christmas and thanks a lot for your awesome work on Qubes. I have
> > been trying to install Qubes R3.2-x86_64 on my XPS 13 - 9360HVW8J with an
> > Intel Core i7-7500U, but I've run into some problems. (My specific
> > laptop model is not mentioned in the HCL [0]).
> >
> > Firstly the x server is not starting.
> >
> > Secondly the text-based installer is running in a loop when I try to set
> > the installation destination I run into the following error:
> >
> > 'Encryption requested for LUKS device nvme0n1p2 but no encryption key
> > specified for this device', which seems to be an upstream problem [0]
> >
> > I read about a kickstart file, but that seems to be for an older
> > version (Qubes R2) [1].
> >
> > Any suggestions on how I could get this working? Thanks much in advance.
>
> Hi all,
>
> Things I've tried thus far:
>
> - I tried in EFI and legacy mode,
>
> - I verified the Internet Core I7 7500 Kaby Lake processor does VT-D and
> VT-X [0] and both are switched on in the bios.
>
> - I've added nomodeset as a kernel option in xen.cfg
>
> Still no luck with getting xserver to start during install process.
>
> Any other hints? Would be much appreciated!

The kickstart way should still work.

Other thing to try, is to take out the disk, install in other machine and then put it back. Or, if that's hard for hardware reasons (for example you don't have other machine supporting nvme), install to USB stick (set the same partition size as the target disk), then transfer installed system to your target machine (just dd the whole disk).

> [0]
> https://ark.intel.com/products/95451/Intel-Core-i7-7500U-Processor-4M-Cache-up-to-3_50-GHz-
> > [0]
> > https://groups.google.com/forum/#!msg/qubes-users/-9qRHSkwfy8/CCx08nnTVEAJ
> > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1020345
> > [2]
> > https://groups.google.com/forum/#!msg/qubes-users/-9qRHSkwfy8/CCx08nnTVEAJ

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: [qubes-users] RFC: adding qubes images to the (qubes) repo
On 2016-12-28 11:11, john.david.r.smith wrote:
>>> this may be a source of errors for some users, or even insecure
>>> (mitm + exchanging the master signing key information on the
>>> website + patching the downloaded image).
>>
>> I know what you mean, but it's worth remembering that the Qubes
>> Master Signing Key fingerprint is supposed to be verified
>> out-of-band/multiband. So, in principle, replacing the key and/or
>> fingerprint only just qubes-os.org shouldn't work as a successful
>> attack vector.
>
>
> the problem is (as you wrote) 'supposed to be verified
> out-of-band'. for some less technical people, even verifying the
> signature is a huge step.

Yes, this is why we go to such great lengths to educate users about this. Qubes is the sort of system that places ultimate trust in users to safeguard their own security. There are too many ways for users to shoot themselves in the feet that we can't prevent.

Verifying the ISO is just the first step, before Qubes is even installed. After Qubes is installed, just think about how many ways there are for a user to compromise dom0 or a TemplateVM if they're being reckless. (We try to mitigate this by cutting off all network access from dom0 and allowing network access only to the Updates Proxy for TemplateVMs, but there are still uncountable ways to harm oneself.)

Ultimately, Qubes is the sort of OS where we have to educate users, and users have to be willing to be educated. It's not the sort of OS where we can always protect users from themselves.

> i am a fan of providing easy accessible security and using already
> existing infrastructure.

Agreed.

> (in case of the dom0 repo, an ultimately trusted source).
>

(I see that this was clarified in the other subthread.)

> also depending on the situation a mitm could replace the
> fingerprint of different channels, too.
>

The greater the number of alternative channels and the more different they are (in terms of protocol, form, ownership, control, etc.), the more difficult it would be for an attacker to replace them all. If a user is very careful (e.g., checks from multiple computers over different internet connections, VPNs, Tor circuits, Wi-Fi hotspots, searches for and checks the fingerprint on webpages, PDFs, photos, etc.), I think it would be exceedingly difficult even for a nation state attacker to substitute every instance of the fingerprint that the user could find on the internet (not to mention meatspace channels). It would almost surely be easier to mount an attack in other ways.

>>> also checking signatures manually should be unnecessary since a
>>> package manager is built to do such stuff.
>>>
>>> i would propose to add the qubes-images as packages to the
>>> repos.
>>>
>>
>> Interesting idea. I wonder whether this would count as a misuse
>> of the repos/package manager.
>>
>> One thing is that we'd like to offload most of the traffic to a
>> mirror (e.g., mirrors.kernel.org, as we currently do).
>
> if offloading is not done for isos: add a "qubes-images" repo
> providing the files and host it on your servers.
>

We *do* want to (and currently do) offload most of the ISO-download traffic onto third-party servers, since they're better able to handle the load. This is why we provide mirrors.kernel.org as the default download source for Qubes ISOs.

> if offloading is done for isos: ship the master key with qubes and
> provide a convenience command to the user. this command should
> download (e.g. via torrent) and verify the image (a step the user
> can't do wrong anymore). this command could spawn a dispvm,
> install torrent software, load the torrent and copy it to dom0.
> from there the user could qvm-copy it to the vm with the install
> medium.
>

This is a different proposal, and it would be a much larger undertaking. It's certainly not something that the core Qubes devs have time to do, so it would have to be a community-developed feature. Would you like to take this project on?

>>> maybe you could get other official repos to add them, too.
>>> (debian (+ubuntu), fedora and arch should reach a significant
>>> portion of the linux users)
>>
>> Another interesting idea. I've never heard of a distro adding a
>> different OS's ISO as a package of their own, though.
>
> asking can't hurt.
>

Well... why don't you ask them, then? :) After all, Qubes is free and open-source software. You don't need our permission to distribute it. :)

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
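The multi-channel fingerprint check described in the message above, as an added example that is not part of the original post or of Qubes tooling. It compares fingerprint strings copied from several independent channels with the fingerprint of the locally imported key (as printed by `gpg --with-colons --fingerprint`); all fingerprints are constructed placeholders, and `MIN_CHANNELS` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: require that a key fingerprint gathered from several
# independent channels matches the fingerprint of the locally imported key.
# Every fingerprint here is a constructed placeholder, not a real Qubes key.

# Assumption: minimum number of independent channels to accept (policy knob).
MIN_CHANNELS=${MIN_CHANNELS:-3}

# Constructed sample of `gpg --with-colons --fingerprint <key>` output.
sample_colons() {
cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1262304000:::-:::cSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1262304000::0000000000000000000000000000000000000000::Example Signing Key::::::::::0:
EOF
}

# fpr_from_colons: print the primary key fingerprint (field 10 of the first
# "fpr" record) from colon-format gpg output on stdin.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# normalize_fpr: accept spaced, colon-separated, lower-case or 0x-prefixed
# forms; print 40 upper-case hex digits or fail.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF')
    f=${f#0x}
    case $f in
        ''|*[!0123456789ABCDEF]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# check_channels <local-fpr> <channel-fpr>...
# returns 0 if every channel matches, 1 on any mismatch,
# 2 if input is malformed or too few channels were consulted.
check_channels() {
    local_fpr=$(normalize_fpr "$1") || { echo "local fingerprint malformed" >&2; return 2; }
    shift
    if [ "$#" -lt "$MIN_CHANNELS" ]; then
        echo "need at least $MIN_CHANNELS channels, got $#" >&2
        return 2
    fi
    i=0
    for raw in "$@"; do
        i=$((i + 1))
        got=$(normalize_fpr "$raw") || { echo "channel $i: not a fingerprint" >&2; return 2; }
        if [ "$got" != "$local_fpr" ]; then
            # A single disagreeing channel is treated as failure, not outvoted.
            echo "channel $i disagrees with the imported key" >&2
            return 1
        fi
    done
    return 0
}
```

The check deliberately fails on one mismatch instead of taking a majority, since a disagreement means either a substituted channel or a substituted local key and needs a human to resolve.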
Re: [qubes-users] RFC: adding qubes images to the (qubes) repo
>> the problem is (as you wrote) 'supposed to be verified out-of-band'.
>> for some less technical people, even verifying the signature is a huge
>> step.
>> i am a fan of providing easy accessible security and using already
>> existing infrastructure. (in case of the dom0 repo, an ultimately
>> trusted source).
>
> I'm weary of calling the dom0 repo an ultimately trusted source, as it
> implies trust in all the related infrastructure (DNS, CAs, etc.) Package
> managers follow a trusted objects model. Each package's signature is
> verified before installing, meaning trust of the repo is not required.

ok, i was a bit imprecise. i meant: packages loaded and verified (via signatures) from the repo for dom0 can be considered ultimately trusted. if one of the installed packages of the dom0 repo is compromised, we have an attacker in dom0 and it is game-over. so we can assume these packages are ultimately trusted.

> In either case however, a signing key must be distributed in such a
> fashion that it can be verified and, as such, I'm not sure if this offers
> anything other than a wrapper around the signature verification step.

if you distribute the key with the os and it is living in dom0, it can only be changed by someone in dom0 -> game-over

so: if the key is compromised, you can't trust anything on this machine. either it was somehow compromised during usage, or it was compromised from the beginning (via a compromised installation image)

if the key is in dom0 and you want to verify it over a different channel, you can load it into some vm and do this there.

the wrapper-function to download and check images is just convenience for a non-technical user.
Re: [qubes-users] RFC: adding qubes images to the (qubes) repo
> the problem is (as you wrote) 'supposed to be verified out-of-band'.
> for some less technical people, even verifying the signature is a huge
> step.
> i am a fan of providing easy accessible security and using already
> existing infrastructure. (in case of the dom0 repo, an ultimately
> trusted source).

I'm weary of calling the dom0 repo an ultimately trusted source, as it implies trust in all the related infrastructure (DNS, CAs, etc.) Package managers follow a trusted objects model. Each package's signature is verified before installing, meaning trust of the repo is not required.

In either case however, a signing key must be distributed in such a fashion that it can be verified and, as such, I'm not sure if this offers anything other than a wrapper around the signature verification step.
Re: [qubes-users] RFC: adding qubes images to the (qubes) repo
>> this may be a source of errors for some users, or even insecure
>> (mitm + exchanging the master signing key information on the
>> website + patching the downloaded image).
>
> I know what you mean, but it's worth remembering that the Qubes
> Master Signing Key fingerprint is supposed to be verified
> out-of-band/multiband. So, in principle, replacing the key and/or
> fingerprint only just qubes-os.org shouldn't work as a successful
> attack vector.

the problem is (as you wrote) 'supposed to be verified out-of-band'. for some less technical people, even verifying the signature is a huge step. i am a fan of providing easy accessible security and using already existing infrastructure. (in case of the dom0 repo, an ultimately trusted source). also depending on the situation a mitm could replace the fingerprint of different channels, too.

>> also checking signatures manually should be unnecessary since a
>> package manager is built to do such stuff.
>>
>> i would propose to add the qubes-images as packages to the repos.
>
> Interesting idea. I wonder whether this would count as a misuse of
> the repos/package manager.
>
> One thing is that we'd like to offload most of the traffic to a
> mirror (e.g., mirrors.kernel.org, as we currently do).

if offloading is not done for isos: add a "qubes-images" repo providing the files and host it on your servers.

if offloading is done for isos: ship the master key with qubes and provide a convenience command to the user. this command should download (e.g. via torrent) and verify the image (a step the user can't do wrong anymore). this command could spawn a dispvm, install torrent software, load the torrent and copy it to dom0. from there the user could qvm-copy it to the vm with the install medium.

>> maybe you could get other official repos to add them, too. (debian
>> (+ubuntu), fedora and arch should reach a significant portion of
>> the linux users)
>
> Another interesting idea. I've never heard of a distro adding a
> different OS's ISO as a package of their own, though.

asking can't hurt.
Re: [qubes-users] Re: Split GPG: thunderbird+enigmail stopped cache password
On 2016-12-28 06:41, 5qtbx9+9hwav8wa98xp4 via qubes-users wrote:
>> In that case, there's no need to change the documentation, since
>> it already works as described (i.e., without a key passphrase).
>
> Before the update was working fine with the password. Now the
> QUBES_GPG_AUTOACCEPT is no longer respected as one has to type in
> the password every single time. With all due respect, you are not
> trying to convert a bug into a feature and claiming that this is
> the expected behavior, right?
>

Look, we've already explained (multiple times, in this very thread) that PGP key passphrases may have to be disabled in order to get Split GPG to work and why this is the case. Split GPG was designed with the expectation that there would be no passphrase on the key.

If it worked well with a passphrase before the update, that was a fortuitous coincidence. If, after the update, it no longer works well with a passphrase (but still works just as well without one), then this simply doesn't qualify as a bug according to the original design. You've identified a certain property that used to exist but that was never intended as a feature. Now that this property has ceased to exist, you're claiming that a feature is missing and that a bug has been introduced. That simply doesn't follow.

I understand that you want to use a passphrase on your key despite our arguments against it (and despite offering no counterargument), and I respect that. It's your right to do with your keys as you please, whatever your reasons might be. However, I'm afraid Split GPG simply wasn't intended to accommodate you. If you'd like Split GPG to support keys with passphrases, then you're more than welcome to submit a patch that implements it, and we'd be grateful for your contribution!

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] RFC: adding qubes images to the (qubes) repo
On 2016-12-28 04:39, john.david.r.smith wrote:
> currently when i have qubes and need a new image (e.g. to
> reinstall/install on a new machine), i need to download the image
> from qubes-os.org and then check the signature.
>
> this may be a source of errors for some users, or even insecure
> (mitm + exchanging the master signing key information on the
> website + patching the downloaded image).

I know what you mean, but it's worth remembering that the Qubes Master Signing Key fingerprint is supposed to be verified out-of-band/multiband. So, in principle, replacing the key and/or fingerprint only just qubes-os.org shouldn't work as a successful attack vector.

> also checking signatures manually should be unnecessary since a
> package manager is built to do such stuff.
>
> i would propose to add the qubes-images as packages to the repos.
>

Interesting idea. I wonder whether this would count as a misuse of the repos/package manager.

One thing is that we'd like to offload most of the traffic to a mirror (e.g., mirrors.kernel.org, as we currently do).

> maybe you could get other official repos to add them, too. (debian
> (+ubuntu), fedora and arch should reach a significant portion of
> the linux users)
>

Another interesting idea. I've never heard of a distro adding a different OS's ISO as a package of their own, though.

> also: is the public qubes master signing key somewhere in dom0? in
> case a user has not saved it, this could circumvent the problem of
> an mitm exchanging the information about the signing key
>

I recall someone suggesting this a long time ago, and I (think I) also recall Marek doing it, but I can't find the original thread or issue, and I don't see the key in `/etc/pki/rpm-gpg/`.

Tracking: https://github.com/QubesOS/qubes-issues/issues/2544

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
Re: [qubes-users] Problem copying something from the work VM to dom0
On 12/28/2016 11:35 AM, 5qvig7+72wbojzjmyk1fzj62f3msv2h6s8ffn8 via qubes-users wrote:
> Hello everyone;
>
> I'm trying to copy a file from my work VM to dom0, I followed the doc on
> this matter https://www.qubes-os.org/doc/copy-from-dom0/
>
> So I used the following line,
>
> qvm-run --pass-io work 'cat /home/user/Downloads/theme.tar.gz' > /Downloads/theme.tar.gz

The directory /Downloads likely does not exist, so the redirection > can not create a file there, even as root. Try "> ./Downloads/theme.tar.gz" instead and it may work for you, assuming you are in the home directory which has a Downloads subdirectory off of it.

Steve C.
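The failure explained in the reply above comes from the dom0 shell opening the redirection target before `qvm-run` starts, so a missing directory fails with or without sudo. The following added example (not from the original post) wraps the same `qvm-run --pass-io` command with a destination check; `pull_from_vm`, `sq` and the `QVM_RUN` override are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: pull one file from a VM into dom0 with the destination
# checked up front, instead of a bare `qvm-run ... > /Downloads/file`.

# Assumption: QVM_RUN lets the function be exercised on a machine without Qubes.
QVM_RUN=${QVM_RUN:-qvm-run}

# sq: single-quote a string for the shell that runs inside the VM.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# pull_from_vm <vm> <path-in-vm> <dest-file-in-dom0>
# returns 2 if the destination directory is missing, 3 if the destination
# already exists, 4 if no temp file could be created, 1 if the transfer failed.
pull_from_vm() {
    vm=$1; src=$2; dest=$3
    dir=$(dirname "$dest")

    # The check the shell would otherwise report as "No such file or directory".
    if [ ! -d "$dir" ]; then
        echo "destination directory $dir does not exist" >&2
        return 2
    fi
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 3
    fi

    # Stream into a temp file in the same directory, then rename into place,
    # so a failed or empty transfer never leaves a partial file at $dest.
    tmp=$(mktemp "$dir/.pull.XXXXXX") || return 4
    if "$QVM_RUN" --pass-io "$vm" "cat -- $(sq "$src")" > "$tmp" && [ -s "$tmp" ]; then
        mv -- "$tmp" "$dest"
    else
        rm -f -- "$tmp"
        echo "transfer from $vm failed or produced no data" >&2
        return 1
    fi
}

# In dom0: pull_from_vm work /home/user/Downloads/theme.tar.gz ./Downloads/theme.tar.gz
```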
[qubes-users] Problem copying something from the work VM to dom0
Hello everyone;

I'm trying to copy a file from my work VM to dom0, I followed the doc on this matter https://www.qubes-os.org/doc/copy-from-dom0/

So I used the following line,

qvm-run --pass-io work 'cat /home/user/Downloads/theme.tar.gz' > /Downloads/theme.tar.gz

However I get this error:

bash: /Downloads/theme.tar.gz: No such file or directory

Even when I use sudo qvm-run ...etc I get the same error. How can I fix this?

Thanks and Happy end of the year! Best wishes!
[qubes-users] Re: Split GPG: thunderbird+enigmail stopped cache password
> In that case, there's no need to change the documentation, since it
> already works as described (i.e., without a key passphrase).

Before the update was working fine with the password. Now the QUBES_GPG_AUTOACCEPT is no longer respected as one has to type in the password every single time. With all due respect, you are not trying to convert a bug into a feature and claiming that this is the expected behavior, right?

> The minimal template has a smaller attack surface in general, but it
> doesn't come with Split GPG pre-installed. There is probably not a
> significant difference, since the Split GPG protocol tightly controls
> inter-VM data transfer. There is no general recommendation here, since
> the degree to which the full vs. minimal template attack surface matters
> depends on your threat model. For some people, it makes more sense to
> save the disk space by not having an extra minimal template for it.

Thanks, in that case I'll opt to choose the fedora 24 normal template.
[qubes-users] RFC: adding qubes images to the (qubes) repo
currently when i have qubes and need a new image (e.g. to reinstall/install on a new machine), i need to download the image from qubes-os.org and then check the signature.

this may be a source of errors for some users, or even insecure (mitm + exchanging the master signing key information on the website + patching the downloaded image).

also checking signatures manually should be unnecessary since a package manager is built to do such stuff.

i would propose to add the qubes-images as packages to the repos.

maybe you could get other official repos to add them, too. (debian (+ubuntu), fedora and arch should reach a significant portion of the linux users)

also: is the public qubes master signing key somewhere in dom0? in case a user has not saved it, this could circumvent the problem of an mitm exchanging the information about the signing key

-john
Re: [qubes-users] How to use bonjour (mDNS/DNS-SD) in a Qube?
Oh forgot to add. I did try setting the NetVM for the Windows HVM to sys-net to no avail. Thought that might give a non-NAT'd direct connection.
[qubes-users] How to use bonjour (mDNS/DNS-SD) in a Qube?
So I have iTunes in a Qube -- the best place for it IMHO ;-). I'd like to be able to use AirPlay. Since I'm not bridged and the AirPlay protocol uses mDNS/DNS-SD I need a way for the multicast to work from a Qube without violating any of Qubes' careful network design.

e.g. One idea is to have my Windows HVM have a direct non NAT'd connection. But I'm not sure how to do this and if it's even desirable/sensible from an isolation PoV.

Another idea is to install/enable something like avahi in the fedora23 template and then on each network device set it to reflect. I've not used avahi before but a) it's in fedora and even seems to be in the default template though disabled and b) seems like it's a one liner in its config to get cross subnet multicast working. But I'm not sure what the consequences of that are. Another service enabled in the template just to satisfy a single Qube's requirements does seem to be a bit much.

Perhaps a third option is to create dedicated network infrastructure for the Windows HVM to use (sys-net-avahi sys-firewall-avahi).

I thought this might be a (semi)common issue and was keen to hear others' suggestions or if not maybe a pointer in how to best solve the issue of Qubes consuming services which require cross-subnet or multicast support. I'd imagine this could also be a problem with other similar services (video, voice).
[qubes-users] Synaptic touchpad not working through usbVM
Hi all, My touchpad doesn't work now that I've started using a usbVM. If I attach a USB mouse I get a prompt asking me if I wish to allow it. For the touchpad no prompt and it doesn't work even if I set the RPC policy for InputMouse to allow. Thoughts?
[qubes-users] VMs die when screen is locked for too long
I've noticed this problem a few times now: If the screen is locked for too long (this problem doesn't seem to occur if I unlock the screen a short time after the screen locking) when I unlock the screen the VMs that were running are now in a yellow state. There is an error message about error reclaiming memory or something like that. The memory in use for the VMs still seems to be there and the CPU is on 0%. Does this sound like some known open issue? I'll grab more details the next time it happens.